The MAILING DATE of this communication appears on the cover sheet with the correspondence address.

Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed after SIX (6) MONTHS from the mailing date of this communication.
- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.
- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any earned patent term adjustment. See 37 CFR 1.704(b).

Status

1) [X] Responsive to communication(s) filed on 22 March 2007.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1, 4-12, 16-21 and 24-28 is/are pending in the application.
4a) Of the above claim(s) ___ is/are withdrawn from consideration.
5) [ ] Claim(s) ___ is/are allowed.
6) [X] Claim(s) 1, 4-12, 16-21, and 24-28 is/are rejected.
7) [ ] Claim(s) ___ is/are objected to.
8) [ ] Claim(s) ___ are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.
10) [ ] The drawing(s) filed on ___ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:
1. [ ] Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. ___.
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.
DETAILED ACTION

This action is in response to the communication filed on 3/22/2007.

All objections and rejections not set forth below have been withdrawn.

Claims 1, 4-12, 16-21, and 24-28 are pending.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.

Claims 1, 4-12, 16-21, and 24-28 are rejected under 35 U.S.C. 102(b) as being anticipated by Scott et al. (Scott), "Abstracting Application-Level Web Security".

Regarding claim 1, Scott discloses:

receiving data input through a web page from a client device (fig. 1, page 2, col. 1, par. 3-6); referencing a declarative module to determine a client input security screen to apply to the data input from the client device (page 3, col. 2, par. 2); wherein the declarative module comprises:
a global section that includes at least one client input security screen that applies to any type of client input value (fig. 2; page 6, col. 1, par. 1, 2, par. 2, lines 9-13). Scott discloses input security screens (i.e. a transformation screen) that are applied to all user input (parameter values);

an individual values section that includes at least one client input security screen that applies to a particular type of client input value (fig. 2; page 4, col. 1). Herein, Scott discloses screens for screening particular types of client input values (i.e. cookies, URLs, other parameters). Thus Scott discloses an individual values section;

and applying multiple client input security screens to the data input from the client device (page 3, col. 2, par. 2; fig. 2), including at least one client input security screen from the global section of the declarative module and at least one client input security screen from the individual values section of the declarative module, wherein the client input security screens are distinct from one another (page 3, col. 2, par. 1, 2; fig. 2). Herein, Scott discloses separate screens;

and wherein said act of referencing comprises first using the global section to screen one or more client input values and then using the individual values section to screen at least one of said one or more client input values (sect. 3.4, par. 3).

Regarding claim 4, Scott discloses:

wherein the particular type of client input value is one of the following types of client input values: query string; server variable; form value; cookie (Scott, fig. 2).
Regarding claim 5, Scott discloses:

wherein the declarative module further comprises a web.config file (Scott, page 1, col. 2, par. 3; page 3, col. 2, par. 1).

Regarding claim 6, Scott discloses:

wherein the applying the client input security screen further comprises executing a default action on invalid client input detected by the client input security screen (Scott, page 3, col. 2, par. 1, lines 8-13, par. 2, lines 5-11; page 4, col. 2, par. 3, 4). Scott discloses the application of several types of input screening to all input data (default screening) wherein actions are performed on all the input data during the process of data input security screening. Additionally, Scott discloses default transformations that can be applied during the screening of invalid input data.

Regarding claim 7, Scott discloses:

wherein the applying the client input security screen further comprises executing a specified action on invalid client input detected by the client input security screen, the specified action being specified in the client input security screen (Scott, page 4, col. 1, par. 4-6).

Regarding claim 8, Scott discloses:

wherein a client input security screen further comprises one or more values that may be entered as client input, the one or more values further comprising the only values that may be entered as client input (Scott, page 4, col. 1, par. 4-6). Scott discloses a security screen that constrains client input to a set of values, such as any integer: 0 - int [length 4]. Thus, the security screen effectively comprises the values of 0 - int [length 4] to be imposed upon the client input as a restriction. Additionally, Scott discloses that the security screen comprises specific URL values (extracted from HTTP requests) that may be entered as client input (Scott, page 6, col. 2, par. 1).

Regarding claim 9, Scott discloses:

wherein a client input security screen further comprises one or more screened values that, when detected in the client input, cause an action to be taken on the client input (Scott, fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3).

Regarding claim 10, Scott discloses:

wherein the action to be taken further comprises removing the one or more screened values detected in the client input (Scott, fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3, 4). Scott discloses the encoding of screened values (removal and replacement). Additionally, Scott discloses the removal of values from client input based upon the client input security screen (Scott, page 7, col. 2, par. 1.1 - 1.2).

Regarding claim 11, Scott discloses:
wherein the action to be taken further comprises removing an entire string that contains the one or more screened values detected in the client input (Scott, page 6, col. 2, par. 3; fig. 5; page 9, col. 1, par. 2.2).
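The declarative module that the rejections of claims 1 and 4 through 11 above describe (a global section applied first to every input type, an individual values section applied next to a particular type, a default action where a screen names none, and remove, remove-entire-string and encode actions) is written out here as an added Python illustration; it is not code from the Office action, the application or Scott, and the module format, screen names and sample inputs are constructed assumptions.

```python
import re
from urllib.parse import quote

# Constructed declarative module (hypothetical format, neither Scott's nor the
# application's): a global section applied to every input type, an individual
# values section keyed by input type, and a default action for screens without one.
DECLARATIVE_MODULE = {
    "global": [
        {"name": "strip_control", "pattern": r"[\x00-\x1f]", "action": "remove"},
        {"name": "script_tag", "pattern": r"(?i)<\s*script", "action": "remove_string"},
    ],
    "individual_values": {
        "query_string": [{"name": "digits_only", "allowed": r"\d{1,4}"}],
        "cookie": [{"name": "markup_chars", "pattern": "[<>\"']"}],  # no action: default
        "form_value": [{"name": "sql_punct", "pattern": r"--|;", "action": "remove"}],
    },
    "default_action": "encode",
}


def apply_screen(value, screen, default_action):
    """Apply one screen to one value. Returns (screened_value, violated)."""
    if "allowed" in screen:  # allow-list: the only values that may be entered
        ok = re.fullmatch(screen["allowed"], value) is not None
        return (value if ok else ""), not ok
    if not re.search(screen["pattern"], value):
        return value, False
    action = screen.get("action", default_action)  # default action if none given
    if action == "remove":  # drop just the screened characters
        return re.sub(screen["pattern"], "", value), True
    if action == "remove_string":  # drop the entire string containing them
        return "", True
    if action == "encode":  # replace screened characters with a percent-encoding
        return re.sub(screen["pattern"], lambda m: quote(m.group(0), safe=""), value), True
    raise ValueError(f"unknown screening action: {action}")


def screen_input(input_type, value, module=DECLARATIVE_MODULE):
    """Global section first, then the individual values section for input_type.
    Returns (screened_value, names_of_screens_that_fired)."""
    default = module["default_action"]
    fired = []
    screens = module["global"] + module["individual_values"].get(input_type, [])
    for screen in screens:
        value, violated = apply_screen(value, screen, default)
        if violated:
            fired.append(screen["name"])
    return value, fired
```

For example, `screen_input("cookie", "id=<b>x</b>")` returns `('id=%3Cb%3Ex%3C/b%3E', ['markup_chars'])`: the global screens pass the value through and the cookie screen, having no action of its own, falls back to the module's default encode action.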
Regarding claim 12, it is the system claim corresponding to the method claim 1, and is rejected for, at least, the same reasons, and furthermore because Scott discloses:

a web page server unit configured to provide one or more web pages to one or more client devices over a distributed network (Scott, fig. 1).

Regarding claim 16, Scott discloses:

wherein a screening rule further comprises a client input variable that may be accepted as input from a client (Scott, fig. 5). Scott discloses various screening rules that accept client input variables.

Regarding claim 17, Scott discloses:

wherein a screening rule further comprises one or more screened characters that, when detected in client input, are screened from the client input according to a screening rule (Scott, fig. 5 - see transformation).

Regarding claim 18, Scott discloses:
wherein the screening rule further comprises a default screening action that is applied in the absence of a specified screening action (Scott, fig. 5 - see transformation). Scott discloses a single screening action that is to be performed, and thus, a default screening action.

Regarding claim 19, Scott discloses:

wherein the screening rule further comprises a specified screening action that is applied to the screened client input (Scott, fig. 5 - see transformation). Scott discloses a single specific screening action that is to be performed.

Regarding claim 20, it is rejected, at least, for the same reasons as claim 5.

Regarding claim 21, it is rejected, at least, for the same reasons as claim 1, and furthermore because Scott discloses:

serving a web page to a client over a distributed network; receiving client input via the web page (Scott, fig. 1, page 2, col. 1, par. 3-6); comparing the client input with multiple and distinct client input security screens stored in a security declarative module; wherein the security declarative module includes a global section configured to screen all types of client input values and an individual values section configured to screen particular types of client input values (see rejection of claim 1); if invalid client input is detected, performing a screening action on the invalid client input as indicated by the security declarative module (Scott, page 3, col. 2, par. 2; page 4, col. 2, par. 3; page 6, col. 1, par. 1, 2; fig. 5); and wherein the client input security screens included in the security declarative module can be applied to multiple web pages (Scott, page 4, col. 1, par. 2).

Furthermore, Scott discloses a computer system, and thus discloses media and instructions (Scott, fig. 1).

Regarding claims 24 and 25, they are the media and instruction claims corresponding to the method and system claims of 5 - 7, 18, and 19, and they are rejected for, at least, the same reasons.

Regarding claim 26, Scott discloses:

wherein the screening action further comprises a default action that is not required to be specified in a client input security screen (Scott, page 6, col. 1, par. 1, 2).

Regarding claims 27 and 28, Scott discloses:

wherein the multiple web pages are included in a web project and wherein the multiple web pages are included in a web-based application (Scott, Abstract; Introduction; fig. 1; section 3.1; page 4, col. 1, par. 2; page 6, col. 1, par. 2, col. 2, par. 1). Scott discloses a security policy to be applied to a large web application, the policy comprising rules for the web pages of a site. The web pages are associated with a web application, thus, they are included in a web project/application.
Response to Arguments

Furthermore, Applicant's arguments filed 9/22/2006 have been fully considered but they are not persuasive.

Applicants argue primarily that:

(i) As discussed during the interview, Scott does not first use a global section to screen input values and then use an individual values section to screen at least one of the client input values. In point of fact, Scott would appear to teach directly away from any such notion... Yet, Scott instructs in section 3.4 entitled "The Security Gateway" that the validation constraints are first employed (i.e. what the Office considers as the "individual value section") and then the transformations are employed (i.e. what the Office considers as the "global section"). (Remarks, pg. 11, 12)

In response, the examiner respectfully notes that the applicant misinterprets the reference of Scott and has provided evidence contrary to the applicant's assertions. In fact, the applicant has pointed out, with reference to section 3.4, that Scott teaches first an application of transformations (such as a global encoding transformation) and secondly an application of validation constraints (section 3.4, par. 3).
Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See Notice of References Cited.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffery Williams whose telephone number is (571) 272-7965. The examiner can normally be reached on 8:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

J. Williams
AU: 2137

EMMANUEL MOISE
SUPERVISORY PATENT EXAMINER